Description
Bug description
When connected to a Headscale server where MagicDNS is enabled, local name resolution doesn't work anymore on macOS.
For example without Tailscale enabled my machine receives DNS configuration via DHCP from my home router.
The home router runs its own DNS server and resolves <router_name> to its own IP address.
Once connected to the Headscale Tailnet, <router_name> can no longer be resolved.
With the official Tailscale coordination server, on the other hand, there is an explicit option for whether local DNS resolution should be overridden or not. If the toggle to override local DNS resolution is turned off, the router name can still be resolved.
So this seems like a bug in how Headscale configures the Tailscale client.
Context info
- Version of headscale 0.15.0
- Version of tailscale 1.16.1
- OS macOS 12.4
config.yaml
dns_config:
  base_domain: 'example.com'
  domains: []
  magic_dns: true
  nameservers:
    - 1.1.1.1
Output of scutil --dns
The output of scutil --dns looks different when connected to Tailscale vs Headscale.
Tailscale
DNS configuration
resolver #1
search domain[0] : internal.example.com (note: probably because I configured scutil --set HostName to be <machine_name>.internal.example.com)
search domain[1] : <my-email-address>.beta.tailscale.net
search domain[2] : ts.net
search domain[3] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2 - #65
domain : <64-127>.100.in-addr.arpa.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103002 - 103065
resolver #66
domain : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103001
resolver #67
domain : <my email address>.beta.tailscale.net.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103000
resolver #68
domain : ts.net.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103066
resolver #69
domain : internal.example.com (note: this resolver comes from corporate IPSec VPN that I am connected to as well. this corporate VPN does split-tunneling. it takes over DNS for this subdomain)
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200
resolver #70
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #71
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #72
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #73
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #74
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #75
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 15 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #3
search domain[0] : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 27 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
resolver #4
search domain[0] : <my_email_address>.beta.tailscale.net
search domain[1] : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa
search domain[2] : 100.100.in-addr.arpa
search domain[3] : 101.100.in-addr.arpa
search domain[4] : 102.100.in-addr.arpa
search domain[5] : 103.100.in-addr.arpa
search domain[6] : 104.100.in-addr.arpa
search domain[7] : 105.100.in-addr.arpa
search domain[8] : 106.100.in-addr.arpa
search domain[9] : 107.100.in-addr.arpa
search domain[10] : 108.100.in-addr.arpa
search domain[11] : 109.100.in-addr.arpa
search domain[12] : 110.100.in-addr.arpa
search domain[13] : 111.100.in-addr.arpa
search domain[14] : 112.100.in-addr.arpa
search domain[15] : 113.100.in-addr.arpa
search domain[16] : 114.100.in-addr.arpa
search domain[17] : 115.100.in-addr.arpa
search domain[18] : 116.100.in-addr.arpa
search domain[19] : 117.100.in-addr.arpa
search domain[20] : 118.100.in-addr.arpa
search domain[21] : 119.100.in-addr.arpa
search domain[22] : 120.100.in-addr.arpa
search domain[23] : 121.100.in-addr.arpa
search domain[24] : 122.100.in-addr.arpa
search domain[25] : 123.100.in-addr.arpa
search domain[26] : 124.100.in-addr.arpa
search domain[27] : 125.100.in-addr.arpa
search domain[28] : 126.100.in-addr.arpa
search domain[29] : 127.100.in-addr.arpa
search domain[30] : 64.100.in-addr.arpa
search domain[31] : 65.100.in-addr.arpa
search domain[32] : 66.100.in-addr.arpa
search domain[33] : 67.100.in-addr.arpa
search domain[34] : 68.100.in-addr.arpa
search domain[35] : 69.100.in-addr.arpa
search domain[36] : 70.100.in-addr.arpa
search domain[37] : 71.100.in-addr.arpa
search domain[38] : 72.100.in-addr.arpa
search domain[39] : 73.100.in-addr.arpa
search domain[40] : 74.100.in-addr.arpa
search domain[41] : 75.100.in-addr.arpa
search domain[42] : 76.100.in-addr.arpa
search domain[43] : 77.100.in-addr.arpa
search domain[44] : 78.100.in-addr.arpa
search domain[45] : 79.100.in-addr.arpa
search domain[46] : 80.100.in-addr.arpa
search domain[47] : 81.100.in-addr.arpa
search domain[48] : 82.100.in-addr.arpa
search domain[49] : 83.100.in-addr.arpa
search domain[50] : 84.100.in-addr.arpa
search domain[51] : 85.100.in-addr.arpa
search domain[52] : 86.100.in-addr.arpa
search domain[53] : 87.100.in-addr.arpa
search domain[54] : 88.100.in-addr.arpa
search domain[55] : 89.100.in-addr.arpa
search domain[56] : 90.100.in-addr.arpa
search domain[57] : 91.100.in-addr.arpa
search domain[58] : 92.100.in-addr.arpa
search domain[59] : 93.100.in-addr.arpa
search domain[60] : 94.100.in-addr.arpa
search domain[61] : 95.100.in-addr.arpa
search domain[62] : 96.100.in-addr.arpa
search domain[63] : 97.100.in-addr.arpa
search domain[64] : 98.100.in-addr.arpa
search domain[65] : 99.100.in-addr.arpa
search domain[66] : ts.net
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
Headscale
DNS configuration
resolver #1
search domain[0] : internal.example.com
search domain[1] : <headscale namespace>.example.com
search domain[2] : <router DHCP domain_name>
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103400
resolver #2
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 200000
resolver #3
domain : <headscale namespace>.example.com.
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103401
resolver #4
domain : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101000
resolver #5
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #6
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #7
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #8
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #9
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #10
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 15 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #3
search domain[0] : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 28 (utun3)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
resolver #4
search domain[0] : <headscale namespace>.example.com
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
=> So it seems that with Tailscale my resolver number 1 stays my router, even for the Tailscale namespaces, while with Headscale resolver number 1 is 100.100.100.100.
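The difference between the two listings can be checked mechanically. The script below is an added example, not code from the reporter or from the Headscale or Tailscale projects: it parses scutil --dns output, finds the resolver macOS uses for names that match no split-DNS domain, and reports whether 100.100.100.100 has become that default resolver ("override", the Headscale listing) or the router still is ("split", the Tailscale listing). The sample listings are constructed from the report, with 192.168.1.1 standing in for the router, home.lan for its DHCP domain and ns1.example.com for the headscale namespace; treating a missing order line as the highest priority is an assumption of the script.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# 100.100.100.100 is the address the Tailscale client answers MagicDNS on; it is
# the nameserver in both listings of the report.
MAGICDNS_RESOLVER = "100.100.100.100"

@dataclass
class Resolver:
    section: str                   # "global" (unscoped) or "scoped"
    domain: Optional[str] = None   # set only on split-DNS resolvers
    search: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    # scutil prints no 'order' line for the primary resolver; treating a missing
    # order as 0 (highest priority) is an assumption of this script.
    order: int = 0

_RESOLVER_RE = re.compile(r"^resolver #\d+")
_KV_RE = re.compile(r"^([a-z ]+?)(?:\[\d+\])?\s*:\s*(.*)$")

def parse_scutil_dns(text: str) -> List[Resolver]:
    """One Resolver per 'resolver #N' block of `scutil --dns` output."""
    resolvers: List[Resolver] = []
    section, current = "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "global"
            current = None
        elif _RESOLVER_RE.match(line):
            current = Resolver(section=section)
            resolvers.append(current)
        elif current is not None and (m := _KV_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "domain":
                current.domain = value.rstrip(".")
            elif key == "search domain":
                current.search.append(value)
            elif key == "nameserver":
                current.nameservers.append(value)
            elif key == "order":
                current.order = int(value)   # if_index/reach/flags are not needed
    return resolvers

def default_resolver(resolvers):
    """Unscoped resolver with no 'domain', lowest order wins: macOS sends every
    name that matches no split-DNS domain here."""
    cands = [r for r in resolvers if r.section == "global" and r.domain is None]
    return min(cands, key=lambda r: r.order, default=None)

def magicdns_domains(resolvers):
    """Domains handed to 100.100.100.100 by split DNS (unscoped section only)."""
    return sorted(r.domain for r in resolvers if r.section == "global"
                  and r.domain and MAGICDNS_RESOLVER in r.nameservers)

def dns_mode(resolvers):
    """'override': 100.100.100.100 is the default resolver (the Headscale listing).
    'split': the DHCP/router resolver keeps that role (Tailscale, toggle off)."""
    d = default_resolver(resolvers)
    if d is None:
        return "no-default"
    return "override" if MAGICDNS_RESOLVER in d.nameservers else "split"

# Constructed, abbreviated listings modelled on the report: 192.168.1.1 stands in
# for the router, home.lan for its DHCP domain, ns1.example.com for the namespace.
TAILSCALE_SAMPLE = """\
DNS configuration
resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
  flags    : Request A records, Request AAAA records
resolver #2
  domain   : ts.net.
  nameserver[0] : 100.100.100.100
  flags    : Supplemental, Request A records, Request AAAA records
  order    : 103066
DNS configuration (for scoped queries)
resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
"""
HEADSCALE_SAMPLE = """\
DNS configuration
resolver #1
  search domain[0] : ns1.example.com
  search domain[1] : home.lan
  nameserver[0] : 100.100.100.100
  flags    : Supplemental, Request A records, Request AAAA records
  order    : 103400
resolver #2
  nameserver[0] : 192.168.1.1
  order    : 200000
resolver #3
  domain   : ns1.example.com.
  nameserver[0] : 100.100.100.100
  order    : 103401
"""

if __name__ == "__main__":
    # Pipe real output in (scutil --dns | python3 dnscheck.py) or run the sample.
    r = parse_scutil_dns(sys.stdin.read() if not sys.stdin.isatty() else HEADSCALE_SAMPLE)
    d = default_resolver(r)
    print(dns_mode(r), d.nameservers if d else None, magicdns_domains(r))
```

The file name dnscheck.py is arbitrary. In "override" mode every lookup that matches no split domain, including the router's own name, is sent to the tailnet resolver instead of the DHCP-provided server, which is the behaviour the report describes for Headscale; "split" is the state the report describes for Tailscale with the override toggle off.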